jnummelin

Events

issue comment
k0s cluster breaks when local DHCP address changes

Looking more closely at how etcd is getting configured:

# cat /proc/$(pidof etcd)/cmdline | xargs -0 | tr ' ' '\n' | grep url
--listen-client-urls=https://127.0.0.1:2379
--advertise-client-urls=https://127.0.0.1:2379
--initial-advertise-peer-urls=https://1.2.3.4:2380
--listen-peer-urls=https://1.2.3.4:2380

where 1.2.3.4 is my tailscale address for the machine.

To me this looks like how it is supposed to be configured based on the fact that I specified privateInterface: tailscale0 in the host config.

Created at 1 hour ago
issue comment
k0s cluster breaks when local DHCP address changes

Are tailscale IPs static?

Yes, according to the docs:

Tailscale makes it easy to connect to your network by providing you with a stable IP address for each node (a device or a server).
Created at 1 hour ago
issue comment
k0s cluster breaks when local DHCP address changes

I did a quick try with tailscale enabled boxes:

apiVersion: k0sctl.k0sproject.io/v1beta1
kind: Cluster
metadata:
  name: k0s-cluster
spec:
  hosts:
  - ssh:
      address: 1.2.3.4 # VM in public cloud
      user: root
    role: controller
    privateInterface: tailscale0
  - ssh:
      address: 192.168.205.4 # machine running on Multipass VM
      user: ubuntu
    role: worker
    privateInterface: tailscale0

In this case both k0s and k0sctl seem to properly detect the tailscale addresses and connect the worker to the controller (kube-api) via the tailscale network:

# k0s kc get node -o wide
NAME                   STATUS   ROLES    AGE   VERSION       INTERNAL-IP     EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION      CONTAINER-RUNTIME
k0s-tailscale-wrkr-1   Ready    <none>   12m   v1.26.0+k0s   100.114.56.31   <none>        Ubuntu 22.04.1 LTS   5.15.0-57-generic   containerd://1.6.15
Created at 1 hour ago
issue comment
k0s cluster breaks when local DHCP address changes

@sjdrc Could you share your current k0sctl.yaml config?

Created at 2 hours ago
delete branch
jnummelin delete branch custom-telemetry-attributes
Created at 21 hours ago

Add possibility to inject custom telemetry attributes via ConfigMap

This allows us to add certain "pre-defined" data e.g. from Lens Desktop use case so that we can better identify these uses of k0s in telemetry data.

Signed-off-by: Jussi Nummelin <jnummelin@mirantis.com>

Merge pull request #2647 from jnummelin/custom-telemetry-attributes

Add possibility to inject custom telemetry attributes via ConfigMap

Created at 21 hours ago
pull request closed
Add possibility to inject custom telemetry attributes via ConfigMap

Signed-off-by: Jussi Nummelin <jnummelin@mirantis.com>

Description

This allows us to add certain "pre-defined" data e.g. from Lens Desktop use case so that we can better identify these uses of k0s in telemetry data.

So essentially, if a ConfigMap kube-system/k0s-telemetry exists, we will include all KV pairs in the telemetry data.

Type of change

  • [ ] Bug fix (non-breaking change which fixes an issue)
  • [x] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • [ ] Documentation update

How Has This Been Tested?

  • [x] Manual test
  • [ ] Auto test added

Checklist:

  • [x] My code follows the style guidelines of this project
  • [x] My commit messages are signed-off
  • [x] I have performed a self-review of my own code
  • [x] I have commented my code, particularly in hard-to-understand areas
  • [x] I have made corresponding changes to the documentation
  • [x] My changes generate no new warnings
  • [x] I have added tests that prove my fix is effective or that my feature works
  • [x] New and existing unit tests pass locally with my changes
  • [x] Any dependent changes have been merged and published in downstream modules
  • [x] I have checked my code and corrected any misspellings
Created at 21 hours ago

Vulnerability fixes and security scanning

Merge pull request #3 from makhov/vuln-fix-and-trivy-scanning

OS vulnerability fixes and security scanning

Created at 1 day ago
pull request closed
OS vulnerability fixes and security scanning

This PR fixes only OS vulnerabilities and doesn't cover binary ones since we currently download them as is. We may consider updating CNI plugins to the new v1.2.0 version.

Before:


quay.io/k0sproject/cni-node:1.1.1-k0s.0 (alpine 3.15.4)
=======================================================
Total: 34 (UNKNOWN: 0, LOW: 2, MEDIUM: 10, HIGH: 15, CRITICAL: 7)

┌───────────────────────┬────────────────┬──────────┬───────────────────┬──────────────────┬─────────────────────────────────────────────────────────────┐
│        Library        │ Vulnerability  │ Severity │ Installed Version │  Fixed Version   │                            Title                            │
├───────────────────────┼────────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ curl                  │ CVE-2022-32207 │ CRITICAL │ 7.80.0-r1         │ 7.80.0-r2        │ curl: Unpreserved file permissions                          │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-32207                  │
│                       ├────────────────┤          │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-32221 │          │                   │ 7.80.0-r4        │ curl: POST following PUT confusion                          │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-32221                  │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-42915 │          │                   │                  │ curl: HTTP proxy double-free                                │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-42915                  │
│                       ├────────────────┼──────────┤                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-27780 │ HIGH     │                   │ 7.80.0-r2        │ curl: percent-encoded path separator in URL host            │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-27780                  │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-27781 │          │                   │                  │ curl: CERTINFO never-ending busy-loop                       │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-27781                  │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-27782 │          │                   │                  │ curl: TLS and SSH connection too eager reuse                │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-27782                  │
│                       ├────────────────┤          │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-42916 │          │                   │ 7.80.0-r4        │ curl: HSTS bypass via IDN                                   │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-42916                  │
│                       ├────────────────┤          │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-43551 │          │                   │ 7.80.0-r5        │ curl: HSTS bypass via IDN                                   │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-43551                  │
│                       ├────────────────┼──────────┤                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-32205 │ MEDIUM   │                   │ 7.80.0-r2        │ curl: Set-Cookie denial of service                          │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-32205                  │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-32206 │          │                   │                  │ curl: HTTP compression denial of service                    │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-32206                  │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-32208 │          │                   │                  │ curl: FTP-KRB bad message verification                      │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-32208                  │
│                       ├────────────────┤          │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-43552 │          │                   │ 7.80.0-r5        │ curl: Use-after-free triggered by an HTTP proxy deny        │
│                       │                │          │                   │                  │ response                                                    │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-43552                  │
│                       ├────────────────┼──────────┤                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-35252 │ LOW      │                   │ 7.80.0-r3        │ curl: Incorrect handling of control code characters in      │
│                       │                │          │                   │                  │ cookies                                                     │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-35252                  │
├───────────────────────┼────────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ libcrypto1.1          │ CVE-2022-2097  │ MEDIUM   │ 1.1.1o-r0         │ 1.1.1q-r0        │ openssl: AES OCB fails to encrypt some bytes                │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-2097                   │
├───────────────────────┼────────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ libcurl               │ CVE-2022-32207 │ CRITICAL │ 7.80.0-r1         │ 7.80.0-r2        │ curl: Unpreserved file permissions                          │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-32207                  │
│                       ├────────────────┤          │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-32221 │          │                   │ 7.80.0-r4        │ curl: POST following PUT confusion                          │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-32221                  │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-42915 │          │                   │                  │ curl: HTTP proxy double-free                                │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-42915                  │
│                       ├────────────────┼──────────┤                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-27780 │ HIGH     │                   │ 7.80.0-r2        │ curl: percent-encoded path separator in URL host            │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-27780                  │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-27781 │          │                   │                  │ curl: CERTINFO never-ending busy-loop                       │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-27781                  │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-27782 │          │                   │                  │ curl: TLS and SSH connection too eager reuse                │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-27782                  │
│                       ├────────────────┤          │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-42916 │          │                   │ 7.80.0-r4        │ curl: HSTS bypass via IDN                                   │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-42916                  │
│                       ├────────────────┤          │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-43551 │          │                   │ 7.80.0-r5        │ curl: HSTS bypass via IDN                                   │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-43551                  │
│                       ├────────────────┼──────────┤                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-32205 │ MEDIUM   │                   │ 7.80.0-r2        │ curl: Set-Cookie denial of service                          │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-32205                  │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-32206 │          │                   │                  │ curl: HTTP compression denial of service                    │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-32206                  │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-32208 │          │                   │                  │ curl: FTP-KRB bad message verification                      │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-32208                  │
│                       ├────────────────┤          │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-43552 │          │                   │ 7.80.0-r5        │ curl: Use-after-free triggered by an HTTP proxy deny        │
│                       │                │          │                   │                  │ response                                                    │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-43552                  │
│                       ├────────────────┼──────────┤                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-35252 │ LOW      │                   │ 7.80.0-r3        │ curl: Incorrect handling of control code characters in      │
│                       │                │          │                   │                  │ cookies                                                     │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-35252                  │
├───────────────────────┼────────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ libssl1.1             │ CVE-2022-2097  │ MEDIUM   │ 1.1.1o-r0         │ 1.1.1q-r0        │ openssl: AES OCB fails to encrypt some bytes                │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-2097                   │
├───────────────────────┼────────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ libxml2               │ CVE-2022-2309  │ HIGH     │ 2.9.14-r0         │ 2.9.14-r1        │ lxml: NULL Pointer Dereference in lxml                      │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-2309                   │
│                       ├────────────────┤          │                   ├──────────────────┼─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-40303 │          │                   │ 2.9.14-r2        │ libxml2: integer overflows with XML_PARSE_HUGE              │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-40303                  │
│                       ├────────────────┤          │                   │                  ├─────────────────────────────────────────────────────────────┤
│                       │ CVE-2022-40304 │          │                   │                  │ libxml2: dict corruption caused by entity reference cycles  │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-40304                  │
├───────────────────────┼────────────────┤          ├───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ ncurses-libs          │ CVE-2022-29458 │          │ 6.3_p20211120-r0  │ 6.3_p20211120-r1 │ ncurses: segfaulting OOB read                               │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-29458                  │
├───────────────────────┤                │          │                   │                  │                                                             │
│ ncurses-terminfo-base │                │          │                   │                  │                                                             │
│                       │                │          │                   │                  │                                                             │
├───────────────────────┼────────────────┼──────────┼───────────────────┼──────────────────┼─────────────────────────────────────────────────────────────┤
│ zlib                  │ CVE-2022-37434 │ CRITICAL │ 1.2.12-r1         │ 1.2.12-r2        │ zlib: heap-based buffer over-read and overflow in inflate() │
│                       │                │          │                   │                  │ in inflate.c via a...                                       │
│                       │                │          │                   │                  │ https://avd.aquasec.com/nvd/cve-2022-37434                  │
└───────────────────────┴────────────────┴──────────┴───────────────────┴──────────────────┴─────────────────────────────────────────────────────────────┘

After:

cni-node (alpine 3.17.1)
===================
Total: 0 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0)
Created at 1 day ago

Add possibility to inject custom telemetry attributes via ConfigMap

This allows us to add certain "pre-defined" data e.g. from Lens Desktop use case so that we can better identify these uses of k0s in telemetry data.

Signed-off-by: Jussi Nummelin <jnummelin@mirantis.com>

Created at 1 day ago
issue comment
Pods cannot resolve Node's IPs

Does this communication between the worker and the controller occur on port 8132?

Yes, a worker opens a connection to the controller node on port 8132. The controller (kube-api mostly) then uses that connection when it needs to connect to kubelet (logs, exec etc.) and other node resources.

Created at 2 days ago

Bump google.golang.org/grpc from 1.52.0 to 1.52.1

Bumps google.golang.org/grpc from 1.52.0 to 1.52.1.


updated-dependencies:
- dependency-name: google.golang.org/grpc
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Merge pull request #2640 from k0sproject/dependabot/go_modules/google.golang.org/grpc-1.52.1

Bump google.golang.org/grpc from 1.52.0 to 1.52.1

Created at 1 week ago
delete branch
jnummelin delete branch dependabot/go_modules/google.golang.org/grpc-1.52.1
Created at 1 week ago
pull request closed
Bump google.golang.org/grpc from 1.52.0 to 1.52.1

Bumps google.golang.org/grpc from 1.52.0 to 1.52.1.

Created at 1 week ago
pull request opened
Add possibility to inject custom telemetry attributes via ConfigMap

Created at 1 week ago
create branch
jnummelin create branch custom-telemetry-attributes
Created at 1 week ago